To restore credibility, NIST will audit its standards development process

The US crypto authority's name was tarnished by NSA leaks. But it wants to fix that.

On Friday, the National Institute of Standards and Technology (NIST), which sets many of the standards that cryptographers use to create robust security systems, gave notice that it would formally review its standards development process. This comes about two months after a report from The New York Times that the National Security Agency (NSA) may have inserted a backdoor into Dual_EC_DRBG, a pseudorandom number generator standardized in NIST Special Publication 800-90A. A random number generator is not itself an encryption algorithm, but it is the source of the keys and nonces that encryption systems depend on, so an attacker who can predict its output can undermine any protocol built on it.

The fallout from the September New York Times report, which was based on internal documents leaked by former NSA contractor Edward Snowden, made many security experts wary of NIST and its standards. At the time of the report, NIST issued a statement saying that it would reopen public comment on the random-number-generation standard in question (SP 800-90A) and on its companion drafts. "We want to assure the IT cybersecurity community that the transparent, public process used to rigorously vet our standards is still in place," a memo from the Institute read.

Now, NIST is apparently going a step further. In its latest November 1 statement, the organization promised to do a full audit of its standards development process. “Recent news reports about leaked classified documents have caused concern from the cryptographic community about the security of NIST cryptographic standards and guidelines,” the statement read.

In order to restore that lost confidence, NIST plans to compile its “goals and objectives, principles of operation, processes for identifying cryptographic algorithms for standardization, methods for reviewing and resolving public comments, and other important procedures necessary for a rigorous process.” It will then make its process available for review by both the public and an (as yet unnamed) independent organization.

“Based on the public comments and independent review, we will update our process as necessary to make sure it meets our goals for openness and transparency, and leads to the most secure, trustworthy guidance practicable,” NIST stated. It also promised to reevaluate its current cryptographic standards in light of its audit of the standards development process.